A web application firewall (WAF) is a form of web application security for online services. It protects a system against cross-site scripting, SQL injections, file inclusion, and other malicious attacks. A web application firewall identifies and filters threats which could compromise online applications.
When a web application firewall is installed, it acts as a “shield” between the web application and the internet. A WAF examines HTTP traffic to and from a web service and only allows permitted data to be transferred. In other words, it acts like a reverse proxy. The server is protected from direct contact with data because it would need to be filtered through the WAF first. Malicious traffic is unable to pass through and any sensitive data is kept safe. Furthermore, it prevents any unapproved data packets to leave the application. This means that data harvesting or extraction is incredibly difficult.
Web application security is a growing necessity since web application attacks are the most common cause of data breaches. While a WAF might not be an ideal stand-alone defence, it serves an important purpose. It bolsters any security protocol by providing an additional layer of defence. According to the OSI model, a WAF functions as a layer 7 defence. Layer 7 is just beneath the surface of most user interfaces in web applications. In this layer, data can be accessed by user-facing interfaces.
A WAF helps protect web applications from any threats to this part of the system. Certain web application attacks such as DDoS attacks take place in layer 7 so it is critical to ensure its safety. Apart from this, a WAF helps monitor data that is being transferred which leads to greater visibility of your network.
What Are The Benefits Of A Web Application Firewall?
A WAF has a few key benefits which make it an essential part of any cyber security system. It is superior to traditional firewalls because it prevents web exploits that bypass the network layer. Here are the most important benefits of a WAF:
- It safeguards customer data by acting as an authentication layer. This greatly boosts a business's credibility. It also leads to more customer satisfaction.
- A WAF is required for regulatory compliances such as PCI and HIPAA.
- A WAF plays a key role in preventing web attacks and protecting sensitive data. This is its primary function, which we will discuss in more detail below.
How does a Web Application Firewall work?
A WAF operates through a programmed set of security rules known as "policies" or security policies. These policies determine the type of data packets that can pass through it. A WAF then analyzes HTTP requests and application traffic. If any incoming traffic is malicious, the application layer does not allow it to go through.
There are two main parts of an HTTP conversation that WAF technology monitors: GET and POST requests. GET requests are used to retrieve data from the server while POST requests are used to send data to a server to change its state.
A WAF takes three different approaches to filter the content in these HTTP requests:
"Whitelisting" means that the WAF will only allow requests that are known to be trusted. This is also known as a positive security model. Intrusion prevention systems benefit from whitelisting. Users can provide a list of what IP addresses are known to be safe for web apps, and the WAF filters data packets to only allow legitimate traffic to pass through.
Whitelisting is usually the more favoured form of filtering. It is simple, offers comprehensive protection, and easy to configure. It is also less resource-intensive than blacklisting. The downside of a whitelisting approach is that it may unintentionally block benign traffic. If a system is intentionally looking for new visitors this may be a suboptimal approach.
Blacklisting is also known as a "negative security" model. It allows all HTTP/S traffic in the absence of traffic that has been identified as malicious. The blacklisting approach uses preset signatures for detecting potentially harmful traffic and blocks any malicious requests.
Blacklisting is a useful approach for public websites and businesses that may receive traffic from unknown IP addresses. Blacklisting is more resource-intensive since it has to continuously filter malicious/bot traffic to prevent application-layer attacks.
Hybrid Security Model
A hybrid security model uses elements of both whitelisting and blacklisting. It may have parameters set into the source code which mimic a whitelist model; while also actively scanning for
It is important to note that a WAF works to analyze HTTP interactions and reduce or, ideally, eliminate malicious traffic before it reaches a server for processing. These three different approaches are simply based on each application's unique requirements.
What are the different types of Web Application Firewalls?
There are three different "types of" WAFs; although a better way to explain this is that a WAF can be implemented in three different ways.
A host-based WAF is a firewall that can be completely integrated within the software of web applications. These are commonly used by smaller businesses as they are cheap and offer a high degree of customisation. On the flip side, a WAF is complex to implement, needs constant maintenance and takes up local server resources to operate. The components involved in a host-based WAF will require engineering expertise and a lot of time for set-up as the software is installed locally.
A network-based WAF is also known as a hardware-based WAF. This is a more traditional option for a WAF. It provides low latency and high reliability but this is also very expensive to implement. Maintenance and storage of physical equipment is also a hassle, therefore it is only a realistic choice for larger enterprises.
A cloud-based WAF is a SaaS solution. In this model, a business pays a monthly fee for a third party to handle the maintenance and operation of the WAF. It is an affordable option for smaller businesses which is its biggest draw. The implementation is also easy (in most cases, it is a turnkey installation that is fast and effective.) However, since there is a third party involved a business will not have complete visibility. This is a drawback of cloud-based WAFs to keep in mind.
What Types of Attacks Can WAFs Prevent?
WAF security can prevent many common attacks based on its ability to monitor traffic patterns. Some of them are:
- SQL injections — Malicious code is inserted or injected into a web entry field that allows attackers to compromise the application and underlying systems.
- Cross-site Scripting (also known as XSS) — Attackers inject client-side scripts into web pages viewed by other users.
- Unvalidated input — Attackers tamper with HTTP request (including the url, headers and form fields) to bypass the site’s security mechanisms.
- Web scraping — Data scraping used for extracting data from websites.
- Layer 7 DoS — An HTTP flood attack that utilises valid requests in typical URL data retrievals.
- Cookie poisoning — Modification of a cookie to gain unauthorised information about the user for purposes such as identity theft.
Augment your WAF with Automated Penetration Testing
A web application firewall is an effective tool, but it is usually part of a more comprehensive security system. It is important to note that it is not made to defend against all kinds of attacks.
Penetration testing is often used to augment a web application firewall in the context of web app security. Both tools have a synergistic effect which will fortify any application against threats.
Heyhack provides automated web application security testing for SaaS businesses. If you’d like to know more about how we can help you, get in touch!